This may sound like a frivolous question, but those in the security field will understand it. Should I allow the user to enter any number of characters, as long as it is greater than 0 characters? My logic is:
- the password will be hashed and salted anyway, and
- it is more fun for those making a rainbow table to NOT have any length / other requirements, but
- my concern is brute-force / dictionary attacks.
Am I kinda on the right track with this?
Since I am asking the lower-limit question, can I also ask about the upper limit? Again, it will be hashed and salted, so DB size is not a problem. Then the only problem I can think of in that case is buffers that are bigger than anything else, right?
Update (for those who come to the question late):
So the general consensus seems to confirm what I initially thought: the risk of brute force increases. However, the work of RT crackers will not be made that much more complicated by the fact that they have no indication of the size. In fact, it can be simplified, since in any case they start with the smaller symbol tables. Right? (Not to mention the non-technical issues that have now come up, such as someone looking over your shoulder, etc., which are less of a concern with a longer password.)
So, the conclusion: even if you hash / salt the password, short passwords still pose a risk.
However, for long passwords, I'm not sure I have a definitive answer. Should I worry about buffer overflows? It is still a constant input field.
Chris